Abstract. Several identity-based and implicitly authenticated key agreement protocols have been proposed in recent years, and none of them has achieved all required security properties. In this paper, we propose an efficient identity-based and authenticated key agreement protocol IDAK using the Weil/Tate pairing. The security of IDAK is proved in the Bellare-Rogaway model. Several required properties for key agreement protocols are not implied by the Bellare-Rogaway model; we prove these properties for IDAK separately.



1 Introduction 

Key establishment protocols are among the most important cryptographic primitives used in our society. The first unauthenticated key agreement protocol based on asymmetric cryptographic techniques was proposed by Diffie and Hellman [15]. Since this seminal result, many authenticated key agreement protocols have been proposed and the security properties of key agreement protocols have been extensively studied. In order to implement these authenticated key agreement protocols, one needs to obtain the corresponding party's authenticated public key. For example, in order for Alice and Bob to execute the NIST recommended MQV key agreement protocol [20,26], Alice first needs an authenticated public key $g^b$ for Bob and Bob needs an authenticated public key $g^a$ for Alice, where $a$ and $b$ are Alice's and Bob's private keys respectively. One potential approach for implementing these schemes is to deploy a public key infrastructure (PKI), which has proven to be difficult. Thus it is preferable to design authenticated key agreement systems that are easy to deploy. Identity-based key agreement is such an example.

In 1984, Shamir [32] proposed identity-based cryptosystems in which users' identities (such as email addresses, phone numbers, office locations, etc.) could be used as public keys. Several identity-based key agreement protocols (see, e.g., [1,17,22,27,30,31,33,36,38]) have been proposed since then. Most of them are not practical or do not have all required security properties. Joux [18] proposed a one-round tripartite non-identity-based key agreement protocol using the Weil pairing. Then feasible identity-based encryption schemes based on the Weil or Tate pairing were introduced by Sakai, Ohgishi, and Kasahara [30] and later by Boneh and Franklin [7] independently.

Based on Weil and Tate pairing techniques, Smart [36], Chen-Kudla [11], Scott [31], Shim [33], and McCullagh-Barreto [22] designed identity-based and authenticated key agreement protocols. Chen-Kudla [11] showed that Smart's protocol is not secure in several aspects. Cheng et al. [13] pointed out that Chen-Kudla's protocol is not secure against unknown key share attacks. Scott's protocol is not secure against man-in-the-middle attacks. Sun and Hsieh [37] showed that Shim's protocol is insecure against key compromise impersonation attacks or man-in-the-middle attacks. Choo [14] showed that McCullagh and Barreto's protocol is insecure against key revealing attacks. McCullagh and Barreto [23] revised their protocol, but the revised protocol does not achieve the weak perfect forward secrecy property. In this paper, we propose an efficient identity-based and authenticated key agreement protocol achieving all security properties that an authenticated key agreement protocol should have.

The advantage of identity-based key agreement is that no PKI system is required. The only prerequisite for executing identity-based key agreement protocols is the deployment of authenticated system-wide parameters. Thus, it is easy to implement these protocols in relatively closed environments such as government organizations and commercial entities.

The remainder of this paper is organized as follows. In Section 2 we briefly describe bilinear maps, the bilinear Diffie-Hellman problem, and its variants. In Section 3 we describe our identity-based and authenticated key agreement protocol IDAK. Section 4 describes a security model for identity-based key agreement. In Section 5 we prove the security of the IDAK key agreement protocol. In Sections 6 and 7 we discuss the key compromise impersonation resilience and perfect forward secrecy properties of the IDAK key agreement protocol.

2 Bilinear maps and the bilinear Diffie-Hellman assumptions 

In the following, we briefly describe bilinear maps and bilinear map groups. The details can be found in Joux [18] and Boneh and Franklin [7].

1. $G$ and $G_1$ are two (multiplicative) cyclic groups of prime order $q$.

2. $g$ is a generator of $G$.

3. $e : G \times G \to G_1$ is a bilinear map.

A bilinear map is a map $e : G \times G \to G_1$ with the following properties:

1. bilinear: for all $g_1, g_2 \in G$ and $x, y \in \mathbb{Z}$, we have $e(g_1^x, g_2^y) = e(g_1, g_2)^{xy}$.

2. non-degenerate: $e(g, g) \neq 1$.

We say that $G$ is a bilinear group if the group action in $G$ can be computed efficiently and there exists a group $G_1$ and an efficiently computable bilinear map $e : G \times G \to G_1$ as above. Concrete examples of bilinear groups are given in [18,7]. For convenience, throughout the paper we view both $G$ and $G_1$ as multiplicative groups, though the concrete implementation of $G$ could be an additive elliptic curve group.

Throughout the paper, efficient means probabilistic polynomial-time, negligible refers to a function which is smaller than $1/k^c$ for all $c > 0$ and sufficiently large $k$, and overwhelming refers to a function $1 - \epsilon_k$ for some negligible $\epsilon_k$. Consequently, a function $\delta_k$ is non-negligible if there exists a constant $c$ and there are infinitely many $k$ such that $\delta_k > 1/k^c$. We first formally define the notion of a bilinear group family and of computationally indistinguishable distributions (some of our terminology is adapted from Boneh [5]).



Bilinear group families. A bilinear group family $\mathcal{G}$ is a set $\mathcal{G} = \{G_\rho\}$ of bilinear groups $G_\rho = (G, G_1, e)$, where $\rho$ ranges over an infinite index set, $G$ and $G_1$ are two groups of prime order $q_\rho$, and $e : G \times G \to G_1$ is a bilinear map. We denote by $|\rho|$ the length of the binary representation of $\rho$. We assume that group and bilinear operations in $G_\rho = (G, G_1, e)$ are efficient in $|\rho|$. Unless specified otherwise, we will abuse our notation by using $q$ as the group order instead of $q_\rho$ in the remaining part of this paper.

Instance generator. An Instance Generator, $\mathcal{IG}$, for a bilinear group family is a randomized algorithm that, given an integer $k$ (in unary, that is, $1^k$), runs in polynomial time in $k$ and outputs some random index $\rho$ for $G_\rho = (G, G_1, e)$ and a generator $g$ of $G$, where $G$ and $G_1$ are groups of prime order $q$. Note that for each $k$, the Instance Generator induces a distribution on the set of indices $\rho$.

The following Bilinear Diffie-Hellman Assumption (BDH) has been used by Boneh and Franklin [7] to show the security of their identity-based encryption scheme.

Bilinear Diffie-Hellman Problem. Let $\mathcal{G} = \{G_\rho\}$ be a bilinear group family and $g$ be a generator of $G$, where $G_\rho = (G, G_1, e)$. The BDH problem in $\mathcal{G}$ is as follows: given $(g, g^x, g^y, g^z)$ for some $x, y, z \in \mathbb{Z}_q^*$, compute $e(g, g)^{xyz} \in G_1$. A CBDH algorithm $\mathcal{C}$ for $\mathcal{G}$ is a probabilistic polynomial-time algorithm that can compute the function $\mathrm{BDH}_g(g^x, g^y, g^z) = e(g, g)^{xyz}$ in $G_\rho$ with non-negligible probability. That is, for some fixed $c > 0$ we have

$$\Pr\left[\mathcal{C}(\rho, g, g^x, g^y, g^z) = e(g, g)^{xyz}\right] > \frac{1}{k^c} \qquad (1)$$

where the probability is over the random choices of $x, y, z$ in $\mathbb{Z}_q^*$, the index $\rho$, the random choice of $g \in G$, and the random bits of $\mathcal{C}$.

CBDH Assumption. The bilinear group family $\mathcal{G} = \{G_\rho\}$ satisfies the CBDH-Assumption if there is no CBDH algorithm for $\mathcal{G}$. A perfect-CBDH algorithm $\mathcal{C}$ for $\mathcal{G}$ is a probabilistic polynomial-time algorithm that can compute the function $\mathrm{BDH}_g(g^x, g^y, g^z) = e(g, g)^{xyz}$ in $G_\rho$ with overwhelming probability. $\mathcal{G}$ satisfies the perfect-CBDH-Assumption if there is no perfect-CBDH algorithm for $\mathcal{G}$.

Theorem 1. A bilinear group family $\mathcal{G}$ satisfies the CBDH-Assumption if and only if it satisfies the perfect-CBDH-Assumption.

Proof. See Appendix. □

Consider Joux's tripartite key agreement protocol [18]: Alice, Bob, and Carol fix a bilinear group $(G, G_1, e)$. They select $x, y, z \in_R \mathbb{Z}_q^*$ and exchange $g^x$, $g^y$, and $g^z$. Their shared secret is $e(g, g)^{xyz}$. To totally break the protocol a passive eavesdropper, Eve, must compute the BDH function: $\mathrm{BDH}_g(g^x, g^y, g^z) = e(g, g)^{xyz}$.

The CBDH-Assumption by itself is not sufficient to prove that Joux's protocol is useful for practical cryptographic purposes. Even though Eve may be unable to recover the entire secret, she may still be able to predict quite a few bits (fewer than $c \log k$ bits for some constant $c$; otherwise the CBDH assumption is violated) of information about $e(g, g)^{xyz}$ with some confidence. If $e(g, g)^{xyz}$ is to be the basis of a shared secret key, one must bound the amount of information Eve is able to deduce about it, given $g^x$, $g^y$, and $g^z$. This is formally captured by the much stronger Decisional Bilinear Diffie-Hellman assumption (DBDH-Assumption).



Definition 1. Let {Xp} and {3^p} be two ensembles of probability distributions, where 
for each p both Xp and yp are defined over the same domain. We say that the two 
ensembles are computationally indistinguishable if for any probabilistic polynomial- 
time algorithm V, and any c> Owe have 

\Pv[D{Xp) = l]-Pv[D{yp) = l]\<^^ 

for all sufficiently large k, where the probability is taken over all Xp, yp, and internal 
coin tosses ofT>. 

In the remainder of the paper, we will say in short that the two distributions $X_\rho$ and $Y_\rho$ are computationally indistinguishable.

Let $\mathcal{G} = \{G_\rho\}$ be a bilinear group family. We consider the following two ensembles of distributions:

- $\{X_\rho\}$ of random tuples $(\rho, g, g^x, g^y, g^z, e(g, g)^t)$, where $g$ is a random generator of $G$ ($G_\rho = (G, G_1, e)$) and $x, y, z, t \in_R \mathbb{Z}_q$.

- $\{Y_\rho\}$ of tuples $(\rho, g, g^x, g^y, g^z, e(g, g)^{xyz})$, where $g$ is a random generator of $G$ and $x, y, z \in_R \mathbb{Z}_q$.

An algorithm that solves the Bilinear Diffie-Hellman decision problem is a polynomial-time probabilistic algorithm that can effectively distinguish these two distributions. That is, given a tuple coming from one of the two distributions, it should output 0 or 1, and there should be a non-negligible difference between (a) the probability that it outputs a 1 given an input from $\{X_\rho\}$, and (b) the probability that it outputs a 1 given an input from $\{Y_\rho\}$. The bilinear group family $\mathcal{G}$ satisfies the DBDH-Assumption if the two distributions are computationally indistinguishable.

Remark. The DBDH-Assumption is implied by a slightly weaker assumption: the perfect-DBDH-Assumption. A perfect-DBDH statistical test for $\mathcal{G}$ distinguishes the inputs from the above $\{X_\rho\}$ and $\{Y_\rho\}$ with overwhelming probability. The bilinear group family $\mathcal{G}$ satisfies the perfect-DBDH-Assumption if there is no such probabilistic polynomial-time statistical test.

3 The scheme IDAK 

In this section, we describe our identity-based and authenticated key agreement scheme IDAK. Let $k$ be the security parameter given to the setup algorithm and $\mathcal{IG}$ be a bilinear group parameter generator. We present the scheme by describing the three algorithms: Setup, Extract, and Exchange.

Setup: For the input $k \in \mathbb{Z}^+$, the algorithm proceeds as follows:

1. Run $\mathcal{IG}$ on $k$ to generate a bilinear group $G_\rho = (G, G_1, e)$ and the prime order $q$ of the two groups $G$ and $G_1$.

2. Pick a random master secret $\alpha \in \mathbb{Z}_q^*$.

3. Choose cryptographic hash functions $H : \{0, 1\}^* \to G$ and $\pi : G \times G \to \mathbb{Z}_q^*$. In the security analysis, we view $H$ and $\pi$ as random oracles. In practice, we take $\pi$ as a random oracle (secure hash function) from $G \times G$ to $\{0, 1\}^{\lceil \log q \rceil / 2}$ (see Appendix for details).



The system parameters are $(q, g, G, G_1, e, H, \pi)$ and the master secret key is $\alpha$.

Extract: For a given identification string $\mathrm{ID} \in \{0, 1\}^*$, the algorithm computes a generator $g_{\mathrm{ID}} = H(\mathrm{ID}) \in G$ and sets the private key $d_{\mathrm{ID}} = g_{\mathrm{ID}}^\alpha$, where $\alpha$ is the master secret key.

Exchange: For two participants Alice and Bob whose identification strings are $\mathrm{ID}_A$ and $\mathrm{ID}_B$ respectively, the algorithm proceeds as follows.

1. Alice selects $x \in_R \mathbb{Z}_q^*$, computes $R_A = g_{\mathrm{ID}_A}^x$, and sends it to Bob.

2. Bob selects $y \in_R \mathbb{Z}_q^*$, computes $R_B = g_{\mathrm{ID}_B}^y$, and sends it to Alice.

3. Alice computes $s_A = \pi(R_A, R_B)$, $s_B = \pi(R_B, R_A)$, and the shared secret $sk_{AB}$ as

$$e(g_{\mathrm{ID}_A}, g_{\mathrm{ID}_B})^{(x + s_A)(y + s_B)\alpha} = e\left(d_{\mathrm{ID}_A}^{\,x + s_A},\; g_{\mathrm{ID}_B}^{\,s_B} \cdot R_B\right).$$

4. Bob computes $s_A = \pi(R_A, R_B)$, $s_B = \pi(R_B, R_A)$, and the shared secret $sk_{BA}$ as

In the next section, we will show that the IDAK protocol is secure in the Bellare and Rogaway [4] model with random oracles plus the DBDH-Assumption. We conclude this section with a theorem which says that the shared secret established by the IDAK key agreement protocol is computationally indistinguishable from a random value.

Theorem 2. Let $\mathcal{G} = \{G_\rho\}$ be a bilinear group family, $G_\rho = (G, G_1, e)$, and $g_1, g_2$ be random generators of $G$. Assume that the DBDH-Assumption holds for $\mathcal{G}$. Then the distributions

$$\left(g_1, g_2, g_1^x, g_2^y, e(g_1, g_2)^{(x + \pi(g_1^x, g_2^y))(y + \pi(g_2^y, g_1^x))\alpha}\right) \quad\text{and}\quad \left(g_1, g_2, g_1^x, g_2^y, e(g_1, g_2)^z\right)$$

are computationally indistinguishable, where $\alpha, x, y, z$ are selected from $\mathbb{Z}_q^*$ uniformly.

Before we give a proof of Theorem 2, we first prove two lemmas that will be used in the proof of the theorem.

Lemma 1. (Naor and Reingold [24]) Let $\mathcal{G} = \{G_\rho\}$ be a bilinear group family, $G_\rho = (G, G_1, e)$, $m$ be a constant, $g$ be a random generator of $G$, and $\hat{g} = e(g, g)$. Assume that the DBDH-Assumption holds for $G_\rho$. Then the two distributions $(\mathcal{R}, (\hat{g}^{x_i y_j z_l} : i, j, l \le m))$ and $(\mathcal{R}, (\hat{g}^{u_{ijl}} : i, j, l \le m))$ are computationally indistinguishable. Here $\mathcal{R}$ denotes the tuple $(g, (g^{x_i}, g^{y_j}, g^{z_l} : i, j, l \le m))$ and $x_i, y_j, z_l, u_{ijl} \in_R \mathbb{Z}_q$.

Proof. Using a random reduction, Naor and Reingold [24, Lemma 4.4] (see also Shoup [35, §5.3.2]) showed that the two distributions $(\mathcal{R}, (g^{x_i y_j} : i, j \le m))$ and $(\mathcal{R}, (g^{u_{ij}} : i, j \le m))$ are computationally indistinguishable. The proof can be directly modified to obtain a proof of this lemma. The details are omitted. □

Lemma 2. Let $\mathcal{G} = \{G_\rho\}$ be a bilinear group family, $G_\rho = (G, G_1, e)$, $g$ be a random generator of $G$, $\hat{g} = e(g, g)$, and $f_1$ and $f_2$ be two polynomial-time computable functions. If the two distributions $X_1 = (\mathcal{R}, \hat{g}^{f_1(\mathbf{x})}, \hat{g}^{f_2(\mathbf{x})})$ and $Y_1 = (\mathcal{R}, \hat{g}^{z_1}, \hat{g}^{z_2})$ are computationally indistinguishable, then the two distributions $X_2 = (\mathcal{R}, \hat{g}^{f_1(\mathbf{x}) + f_2(\mathbf{x})})$ and $Y_2 = (\mathcal{R}, \hat{g}^z)$ are computationally indistinguishable, where $\mathcal{R} = (g, (g^{x_i} : 1 \le i \le m))$, $\mathbf{x} = (x_1, \ldots, x_m)$, and $x_i, z_1, z_2, z \in_R \mathbb{Z}_q$.



Proof. See Appendix. □

Proof of Theorem 2. Let $\hat{g} = e(g, g)$. By Lemma 1, the two distributions

$$X = \left(g,\; g^\alpha,\; g^x,\; g^y,\; \hat{g}^{\alpha x y},\; \hat{g}^{\alpha x \pi(g^y, g^x)},\; \hat{g}^{\alpha y \pi(g^x, g^y)},\; \hat{g}^{\alpha \pi(g^x, g^y)\pi(g^y, g^x)}\right)$$

and

are computationally indistinguishable assuming that the DBDH-Assumption holds for $\mathcal{G}$, where $g$ is a random generator of $G_\rho$ and $\alpha, x, y, z_1', z_2', z_3', z_4' \in_R \mathbb{Z}_q$. Since $\pi$ is a fixed function from $G \times G$ to $\mathbb{Z}_q^*$ and $q$ is prime, it is straightforward to verify that for any $\alpha, x, y \in \mathbb{Z}_q$, the values $\hat{g}^{z_2' \pi(g^y, g^x)}$, $\hat{g}^{z_3' \pi(g^x, g^y)}$, and $\hat{g}^{z_4' \pi(g^x, g^y)\pi(g^y, g^x)}$ are uniformly (and independently of each other) distributed over $G_1$. It follows that the distribution

is computationally indistinguishable from the distribution $Y$, where $z_1, z_2, z_3, z_4 \in_R \mathbb{Z}_q$. Thus $X$ and $Z$ are computationally indistinguishable. The theorem now follows from Lemma 2. □



4 The security model 

Our security model is based on the Bellare and Rogaway security models for key agreement protocols, with several modifications. In our model, we assume that we have at most $m < \mathrm{poly}(k)$ protocol participants (principals): $\mathrm{ID}_1, \ldots, \mathrm{ID}_m$, where $k$ is the security parameter. The protocol determines how principals behave in response to input signals from their environment. Each principal may execute the protocol multiple times with the same or different partners. This is modelled by allowing each principal to have different instances that execute the protocol. An oracle $\Pi_{i,j}^s$ models the behavior of the principal $\mathrm{ID}_i$ carrying out a protocol session in the belief that it is communicating with the principal $\mathrm{ID}_j$ for the $s$-th time. A given instance is used only once. Each $\Pi_{i,j}^s$ maintains a variable view (or transcript) consisting of the protocol run transcripts so far.

The adversary is modelled by a probabilistic polynomial-time Turing machine that is assumed to have complete control over all communication links in the network and to interact with the principals via oracle accesses to $\Pi_{i,j}^s$. The adversary is allowed to execute any of the following queries:

- Extract(ID). This allows the adversary to get the long-term private key for a new principal whose identity string is ID.

- Send($\Pi_{i,j}^s$, $X$). This sends message $X$ to the oracle $\Pi_{i,j}^s$. The output of $\Pi_{i,j}^s$ is given to the adversary. The adversary can ask the principal $\mathrm{ID}_i$ to initiate a session with $\mathrm{ID}_j$ by a query Send($\Pi_{i,j}^s$, $\lambda$), where $\lambda$ is the empty string.

- Reveal($\Pi_{i,j}^s$). This asks the oracle to reveal whatever session key it currently holds.

- Corrupt($i$). This asks $\mathrm{ID}_i$ to reveal the long-term private key $d_{\mathrm{ID}_i}$.



The difference between the queries Extract and Corrupt is that the adversary can use Extract to get the private key for an identity string of her choice, while Corrupt can only be used to get the private key of existing principals.

Let $\Pi_{i,j}^s$ be an initiator oracle (that is, it has received a $\lambda$ message at the beginning) and $\Pi_{j,i}^t$ be a responder oracle. If every message that $\Pi_{i,j}^s$ sends out is subsequently delivered to $\Pi_{j,i}^t$, with the response to this message being returned to $\Pi_{i,j}^s$ as the next message on its transcript, then we say the oracle $\Pi_{j,i}^t$ matches $\Pi_{i,j}^s$. Similarly, if every message that $\Pi_{j,i}^t$ receives was previously generated by $\Pi_{i,j}^s$, and each message that $\Pi_{j,i}^t$ sends out is subsequently delivered to $\Pi_{i,j}^s$, with the response to this message being returned to $\Pi_{j,i}^t$ as the next message on its transcript, then we say the oracle $\Pi_{i,j}^s$ matches $\Pi_{j,i}^t$. The details of an exact definition of matching oracles can be found in [3].

For the definition of matching oracles, the reader should be aware of the following scenario. Even though the oracle $\Pi_{i,j}^s$ thinks that its matching oracle is $\Pi_{j,i}^t$, the real matching oracle for $\Pi_{i,j}^s$ could be $\Pi_{j,i}^{t'}$. For example, suppose $\Pi_{i,j}^s$ sends a message $X$ to $\Pi_{j,i}^t$ and $\Pi_{j,i}^t$ replies with $Y$. The adversary decides not to forward the message $Y$ to $\Pi_{i,j}^s$. Instead, the adversary sends the message $X$ to initiate another oracle $\Pi_{j,i}^{t'}$, and $\mathrm{ID}_i$ does not know of the existence of this new oracle $\Pi_{j,i}^{t'}$. The oracle $\Pi_{j,i}^{t'}$ replies with $Y'$ and the adversary forwards this $Y'$ to $\Pi_{i,j}^s$ as the responding message for $X$. In this case, the transcript of $\Pi_{i,j}^s$ matches the transcript of $\Pi_{j,i}^{t'}$. Thus we consider $\Pi_{i,j}^s$ and $\Pi_{j,i}^{t'}$ as matching oracles. In other words, matching oracles are determined mainly by the message transcripts.

In order to define the notion of a secure session key exchange, the adversary is given an additional experiment. That is, in addition to the above regular queries, the adversary can choose, at any time during its run, a Test($\Pi_{i,j}^s$) query to a completed oracle $\Pi_{i,j}^s$ with the following properties:

- The adversary has never issued, at any time during its run, the query Extract($\mathrm{ID}_i$) or Extract($\mathrm{ID}_j$).

- The adversary has never issued, at any time during its run, the query Corrupt($i$) or Corrupt($j$).

- The adversary has never issued, at any time during its run, the query Reveal($\Pi_{i,j}^s$).

- The adversary has never issued, at any time during its run, the query Reveal($\Pi_{j,i}^{s'}$) if the matching oracle $\Pi_{j,i}^{s'}$ for $\Pi_{i,j}^s$ exists (note that such an oracle may not exist if the adversary is impersonating $\mathrm{ID}_j$ to the oracle $\Pi_{i,j}^s$). The value of $s$ may be different from the value of $s'$ since the adversary may run fake sessions to impersonate any principal without the victims' knowledge.

Let $sk_{i,j}^s$ be the value of the session key held by the oracle $\Pi_{i,j}^s$ that has been established between $\mathrm{ID}_i$ and $\mathrm{ID}_j$. The oracle $\Pi_{i,j}^s$ tosses a coin $b \in_R \{0, 1\}$. If $b = 1$, the adversary is given $sk_{i,j}^s$. Otherwise, the adversary is given a value $r$ randomly chosen from the probability distribution of keys generated by the protocol. In the end, the attacker outputs a bit $b'$. The advantage that the adversary has for the above guess is defined as

$$\mathrm{Adv}^{\mathcal{A}}(k) = \left|\Pr[b = b'] - \frac{1}{2}\right|.$$



Now we are ready to give the exact definition of a secure key agreement protocol.

Definition 2. A key agreement protocol $\Pi$ is BR-secure if the following conditions are satisfied for any adversary:

1. If two uncorrupted oracles $\Pi_{i,j}^s$ and $\Pi_{j,i}^t$ have matching conversations (e.g., the adversary is passive) and both of them are complete according to the protocol $\Pi$, then both oracles will always accept and hold the same session key, which is uniformly distributed over the key space.

2. $\mathrm{Adv}^{\mathcal{A}}(k)$ is negligible.

In the following, we briefly discuss the attributes that a BR-secure key agreement protocol achieves.

- Known session keys. The adversary may use the Reveal($\Pi_{i,j}^{s'}$) query before or after the query Test($\Pi_{i,j}^s$). Thus in a secure key agreement model, the adversary learns zero information about a fresh key for session $s$ even if she has learnt keys for other sessions $s'$.

- Impersonation attack. If the adversary impersonates $\mathrm{ID}_j$ to $\mathrm{ID}_i$, then she still learns zero information about the session key that the oracle $\Pi_{i,j}^s$ holds for this impersonated $\mathrm{ID}_j$, since there is no matching oracle for $\Pi_{i,j}^s$ in this scenario. Thus $\mathcal{A}$ can use the Test query to test this session key that $\Pi_{i,j}^s$ holds.

- Unknown key share. If $\mathrm{ID}_i$ establishes a session key with $\mathrm{ID}_l$ though he believes that he is talking to $\mathrm{ID}_j$, then there is an oracle $\Pi_{i,j}^s$ that holds this session key $sk_{i,j}$. At the same time, there is an oracle $\Pi_{l,i'}^{s'}$ that holds this session key $sk_{i,j}$, for some $i'$ (normally $i' = i$). During an unknown key share attack, the user $\mathrm{ID}_i$ may not know this session key. Since $\Pi_{i,j}^s$ and $\Pi_{l,i'}^{s'}$ are not matching oracles, the adversary can make the query Reveal($\Pi_{l,i'}^{s'}$) to learn this session key before the query Test($\Pi_{i,j}^s$). Thus the adversary will succeed for this Test query challenge if the unknown key share attack is possible.

However, the following important security properties that a secure key agreement scheme should have are not implied by the original BR-security model.

- Perfect forward secrecy. This property requires that previously agreed session keys should remain secret even if both parties' long-term private key material is compromised. The Bellare-Rogaway model does not capture this property. Canetti and Krawczyk's model [9] uses the session-key expiration primitive to capture this property. A similar modification to the Bellare-Rogaway model is required to capture this property as well. We will give a separate proof that the IDAK key agreement protocol achieves weak perfect forward secrecy. Note that, as pointed out in [19], no two-message key-exchange protocol authenticated with public keys and with no secure shared state can achieve perfect forward secrecy.

- Key compromise impersonation resilience. If the entity A's long-term private key is compromised, then the adversary could impersonate A to others, but it should not be able to impersonate others to A. Similar to the wPFS property, the Bellare-Rogaway model does not capture this property. We will give a separate proof that the IDAK key agreement protocol has this property.



5 The security of IDAK

Before we present the security proof for the IDAK key agreement protocol, we first prove some preliminary results that will be used in the security proof.

Lemma 3. Let $\mathcal{G} = \{G_\rho\}$ be a bilinear group family, $G_\rho = (G, G_1, e)$, $g$ be a random generator of $G$, and $\pi : G \times G \to \mathbb{Z}_q$ be a random oracle. Assume the DBDH-Assumption holds for $\mathcal{G}$ and let $X$ and $Y$ be two distributions defined as

and y = (7^,/-^5^^^e(5,5)(^''+-(«'"°'^''''°))(«o+-(5"''°'^''°))^e(5,<?)*) 
Then we have 

1. The two distributions $X$ and $Y$ are computationally indistinguishable if $\mathcal{R}$ is defined as

a, /3, 7, X, t, Xo are chosen from Z* uniformly, g^ = g'^ or r is either chosen from 
Z* uniformly, 5^ and g'^^" are chosen from G within polynomial time according 
to a fixed distribution given the view {g^ , g'^ , g" , g^ , g'^ , g^^°) without violating 
DBDH-Assumption. 

2. For any constant $m < \mathrm{poly}(k)$, the two distributions $X$ and $Y$ are computationally indistinguishable if $\mathcal{R}$ is defined as:

{9,9'',9^9\{9''%9''',9A,l)ij,l<rnMf'^^''^''"''^''\9Ar^^^^ ■■ i,j,l< m)) 

where a, (3, 7, Xi are uniformly chosen from Z*, rj are either chosen from Z* uni- 
formly or g^^ = g^ , and g^^i is chosen within polynomial time according to a 
fixed distribution given the view {g^\ g^', g", g^ , g'^ , g^'^" : i,j,l < m) without 

violating DBDH-Assumption. 

3. For any constant $m < \mathrm{poly}(k)$, the two distributions $X$ and $Y$ are computationally indistinguishable if $\mathcal{R} = (\mathcal{R}_1, \mathcal{R}_2)$, where $\mathcal{R}_1$ is defined as the $\mathcal{R}$ in item 2, and $\mathcal{R}_2$ is defined as:

{{9A,i,9''',9A,l)ij,l<rn,{K9A,i-9^''^'^-'''^-'\ : ij,l< m)) 

where rj are either chosen from Z* uniformly or g^^ = g^, gj^^^i and gj^^^i are chosen 
within polynomial time according to a fixed distribution given the view {g^\ g^K 
9"' 9^ , 9^ , 9^^° , 9^^° '■ < without violating DBDH-Assumption and with 
the condition that "9A,i 9^^° or g^^i ^ g'^y° ". Note that g^^i and g^^i could 
have different distributions. 

Proof. See Appendix. □ 

Theorem 3. Suppose that the functions $H$ and $\pi$ are random oracles and the bilinear group family $\mathcal{G}$ satisfies the DBDH-Assumption. Then the IDAK scheme is a BR-secure key agreement protocol.

Proof. See Appendix. □ 



6 Weak perfect forward secrecy



In this section, we show that the protocol IDAK achieves the weak perfect forward secrecy property. The perfect forward secrecy property requires that even if Alice and Bob lose their private keys $d_{\mathrm{ID}_A} = g_{\mathrm{ID}_A}^\alpha$ and $d_{\mathrm{ID}_B} = g_{\mathrm{ID}_B}^\alpha$, session keys established by Alice and Bob in previous sessions are still secure. Krawczyk [19] pointed out that no two-message key-exchange protocol authenticated with public keys and with no secure shared state can achieve perfect forward secrecy. The weak perfect forward secrecy (wPFS) property for key agreement protocols is stated as follows [19]: any session key established by uncorrupted parties without active intervention by the adversary is guaranteed to remain secure even if the parties to the exchange are corrupted after the session key was erased from the parties' memory (for a formal definition, the reader is referred to [19]).

In the following, we show that IDAK achieves the wPFS property. Using a primitive similar to the "session-key expiration" of Canetti and Krawczyk's model [9], we can revise the Bellare-Rogaway model so that the wPFS property is provable as well. In the Bellare-Rogaway model, the Test($\Pi_{i,j}^s$) query is allowed only if the four properties in Section 4 are satisfied. We can replace the property "the adversary has never issued, at any time during its run, the query Corrupt($i$) or Corrupt($j$)" with the property "the adversary has never issued, before the session $\Pi_{i,j}^s$ is complete, the query Corrupt($i$) or Corrupt($j$)". We call this model the wpfsBR model. In the final version of this paper, we will show that the protocol IDAK is secure in the wpfsBR model. Thus IDAK achieves the wPFS property. In the following, we present the essential technique used in the proof. It is essentially sufficient to show that the two distributions $(\mathcal{R}, e(g_{\mathrm{ID}_A}, g_{\mathrm{ID}_B})^z)$ and $(\mathcal{R}, e(g_{\mathrm{ID}_A}, g_{\mathrm{ID}_B})^{(x + \pi(g_{\mathrm{ID}_A}^x, g_{\mathrm{ID}_B}^y))(y + \pi(g_{\mathrm{ID}_B}^y, g_{\mathrm{ID}_A}^x))\alpha})$ are computationally indistinguishable for $\mathcal{R} = (g_{\mathrm{ID}_A}^\alpha, g_{\mathrm{ID}_B}^\alpha, g_{\mathrm{ID}_A}^x, g_{\mathrm{ID}_B}^y)$ and uniformly at random chosen $g_{\mathrm{ID}_A}, g_{\mathrm{ID}_B}, x, y, z, \alpha$. Consequently, it is sufficient to prove the following theorem.

Theorem 4. Let $\mathcal{G} = \{G_\rho\}$ be a bilinear group family, $G_\rho = (G, G_1, e)$. Assume that the DBDH-Assumption holds for $\mathcal{G}$. Then the two distributions

$$X = \left(g_1, g_2, g_1^\alpha, g_2^\alpha, g_1^x, g_2^y, e(g_1, g_2)^{xy\alpha}\right)$$
$$\text{and}\quad Y = \left(g_1, g_2, g_1^\alpha, g_2^\alpha, g_1^x, g_2^y, e(g_1, g_2)^z\right)$$

are computationally indistinguishable for randomly chosen $g_1, g_2, x, y, z, \alpha$.

Proof. We use a random reduction. For a contradiction, assume that there is a polynomial-time probabilistic algorithm $\mathcal{D}$ that distinguishes $X$ and $Y$ with non-negligible probability $\delta_k$. We construct a polynomial-time probabilistic algorithm $\mathcal{A}$ that distinguishes $(\mathcal{R}, e(g, g)^t)$ and $(\mathcal{R}, e(g, g)^{uvw})$ with $\delta_k$, where $\mathcal{R} = (g, g^u, g^v, g^w)$ and $u, v, w, t$ are uniformly at random in $\mathbb{Z}_q$. Let the input of $\mathcal{A}$ be $(\mathcal{R}, e(g, g)^t)$, where $t$ is either $uvw$ or uniformly at random in $\mathbb{Z}_q$. We construct $\mathcal{A}$ as follows. $\mathcal{A}$ chooses random $c_1, c_2, c_3, c_4, c_5 \in \mathbb{Z}_q$ and sets

$$g_1 = g^{c_1},\quad g_2 = g^{c_2},\quad g_1^\alpha = g^{u c_1 c_3},\quad g_2^\alpha = g^{u c_2 c_3},\quad g_1^x = g^{v c_1 c_4},\quad g_2^y = g^{w c_2 c_5},\quad\text{and}\quad e(g_1, g_2)^{xy\alpha} = e(g, g)^{t c_1 c_2 c_3 c_4 c_5}.$$

Let $\mathcal{A}(\mathcal{R}, e(g, g)^t) = \mathcal{D}(g_1, g_2, g_1^\alpha, g_2^\alpha, g_1^x, g_2^y, e(g_1, g_2)^{xy\alpha})$. Note that if $t = uvw$, then $c_1, c_2, \alpha, x, y$ are uniform in $\mathbb{Z}_q$ (and independent of each other and of $u, v, w$) and the last component equals $e(g_1, g_2)^{xy\alpha}$. Otherwise, $c_1, c_2, \alpha, x, y$ are uniform in $\mathbb{Z}_q$ and independent of each other and of $u, v, w$. Therefore, by the definitions,

$$\Pr\left[\mathcal{A}(\mathcal{R}, e(g, g)^{uvw}) = 1\right] = \Pr[\mathcal{D}(X) = 1] \quad\text{and}\quad \Pr\left[\mathcal{A}(\mathcal{R}, e(g, g)^t) = 1\right] = \Pr[\mathcal{D}(Y) = 1].$$

Thus $\mathcal{A}$ distinguishes $(g, g^u, g^v, g^w, e(g, g)^t)$ and $(g, g^u, g^v, g^w, e(g, g)^{uvw})$ with $\delta_k$. This is a contradiction. □

Though Theorem 4 shows that the protocol IDAK achieves weak perfect forward secrecy even if both participating parties' long-term private keys are corrupted, IDAK does not have perfect forward secrecy when the master secret $\alpha$ is leaked. Perfect forward secrecy against the corruption of $\alpha$ could be achieved by requiring Bob (the responder in the IDAK protocol) to send $g_{\mathrm{ID}_A}^y$ in addition to the value $R_B = g_{\mathrm{ID}_B}^y$, and by requiring both parties to compute the shared secret as $H(g_{\mathrm{ID}_A}^{xy} \| sk_{AB})$, where $sk_{AB}$ is the shared secret established by the IDAK protocol.
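The Exchange algorithm of Section 3 and the master-secret caveat above, worked in code. This is an added example, not code from the paper. It models $G$ and $G_1$ as a toy generic bilinear group in which every element is stored as its exponent modulo a constructed prime $q$, so that $e(g^a, g^b) = \hat{g}^{ab}$ becomes a multiplication modulo $q$; every discrete logarithm is therefore public, the model offers no security at all, and it only checks the algebra. The following are assumptions of the example rather than the paper's specification: $H$ and $\pi$ are SHA-256 hashed into $\mathbb{Z}_q^*$, Bob's step 4 mirrors Alice's step 3, the identities are constructed, and the outer hash of the hardened derivation $H(g_{\mathrm{ID}_A}^{xy} \| sk_{AB})$ is SHA-256. The block checks that Alice's value, Bob's value and the closed form $e(g_{\mathrm{ID}_A}, g_{\mathrm{ID}_B})^{(x+s_A)(y+s_B)\alpha}$ agree, that the master secret plus the public transcript recomputes $sk_{AB}$, and that the hardened derivation agrees on both sides.

```python
"""IDAK (Section 3) in a toy generic bilinear group, plus the Section 6
master-secret caveat.  Added example, not the paper's code.

Model (insecure by construction): an element g^a of G is stored as the
exponent a mod q, an element ghat^c of G_1 (ghat = e(g, g)) as c, so
e(g^a, g^b) = ghat^(ab) is just a * b mod q.  Every discrete log is public,
so this checks the protocol's algebra and nothing else.
"""
import hashlib
import secrets

Q = 2**127 - 1  # constructed prime order q of G and G_1 (Mersenne prime M127)


def g_pow(a, k):      # (g^a)^k = g^(ak)
    return a * k % Q


def g_mul(a, b):      # g^a * g^b = g^(a+b)
    return (a + b) % Q


def pairing(a, b):    # e(g^a, g^b) = ghat^(ab)
    return a * b % Q


def gt_pow(c, k):     # (ghat^c)^k = ghat^(ck)
    return c * k % Q


def _hash_to_zq_star(*parts):
    """SHA-256 of the labelled parts, mapped into {1, ..., q-1} (assumption)."""
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def H(identity):
    """H: {0,1}^* -> G, returned as the exponent of g_ID."""
    return _hash_to_zq_star(b"H", identity.encode())


def pi(r1, r2):
    """pi: G x G -> Z_q^*; argument order matters, so s_A != s_B in general."""
    return _hash_to_zq_star(b"pi", r1.to_bytes(16, "big"), r2.to_bytes(16, "big"))


def extract(alpha, identity):
    """Extract: d_ID = g_ID^alpha."""
    return g_pow(H(identity), alpha)


def alice_key(d_a, id_a, id_b, x, r_b):
    """Step 3: sk_AB = e(d_A^(x+s_A), g_B^(s_B) * R_B)."""
    r_a = g_pow(H(id_a), x)
    s_a, s_b = pi(r_a, r_b), pi(r_b, r_a)
    return pairing(g_pow(d_a, x + s_a), g_mul(g_pow(H(id_b), s_b), r_b))


def bob_key(d_b, id_a, id_b, y, r_a):
    """Step 4, assumed to mirror step 3: sk_BA = e(g_A^(s_A) * R_A, d_B^(y+s_B))."""
    r_b = g_pow(H(id_b), y)
    s_a, s_b = pi(r_a, r_b), pi(r_b, r_a)
    return pairing(g_mul(g_pow(H(id_a), s_a), r_a), g_pow(d_b, y + s_b))


def key_from_transcript_and_alpha(alpha, id_a, id_b, r_a, r_b):
    """Section 6 caveat: the master secret plus the public transcript gives
    sk_AB = e(R_A * g_A^(s_A), R_B * g_B^(s_B))^alpha; no x, y or d_ID needed."""
    s_a, s_b = pi(r_a, r_b), pi(r_b, r_a)
    return gt_pow(pairing(g_mul(r_a, g_pow(H(id_a), s_a)),
                          g_mul(r_b, g_pow(H(id_b), s_b))), alpha)


def hardened_key(dh_value, sk):
    """The paper's fix H(g_A^(xy) || sk_AB); the outer H is SHA-256 here (assumption)."""
    return hashlib.sha256(dh_value.to_bytes(16, "big") + sk.to_bytes(16, "big")).hexdigest()


def run_session(id_a="alice@example.org", id_b="bob@example.org",
                rand=lambda: 1 + secrets.randbelow(Q - 1)):
    """One IDAK run; returns every quantity the checks compare."""
    alpha = rand()                                   # Setup: master secret
    d_a, d_b = extract(alpha, id_a), extract(alpha, id_b)
    x, y = rand(), rand()                            # ephemeral exponents
    r_a, r_b = g_pow(H(id_a), x), g_pow(H(id_b), y)  # the two messages
    sk_ab = alice_key(d_a, id_a, id_b, x, r_b)
    sk_ba = bob_key(d_b, id_a, id_b, y, r_a)
    s_a, s_b = pi(r_a, r_b), pi(r_b, r_a)
    closed_form = gt_pow(pairing(H(id_a), H(id_b)), (x + s_a) * (y + s_b) * alpha)
    escrowed = key_from_transcript_and_alpha(alpha, id_a, id_b, r_a, r_b)
    g_a_y = g_pow(H(id_a), y)                        # extra value Bob sends in the fix
    return {
        "sk_ab": sk_ab, "sk_ba": sk_ba, "closed_form": closed_form,
        "escrowed": escrowed,
        "hardened_alice": hardened_key(g_pow(g_a_y, x), sk_ab),
        "hardened_bob": hardened_key(g_pow(r_a, y), sk_ba),
    }


if __name__ == "__main__":
    out = run_session()
    print("Alice, Bob and closed form agree:", out["sk_ab"] == out["sk_ba"] == out["closed_form"])
    print("master secret + transcript recovers sk_AB:", out["escrowed"] == out["sk_ab"])
    print("hardened derivation agrees on both sides:", out["hardened_alice"] == out["hardened_bob"])
```

Running the file prints the three checks. The toy model can only show what is computable (the recovery of $sk_{AB}$ from $\alpha$ and the transcript, which is why the master secret must be protected as strictly as a key escrow); it says nothing about hardness, so it does not replace the wPFS or DBDH arguments and is a consistency harness for the formulas only.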



7 Key compromise impersonation (KCI) resilience 

In this section, we informally show that the protocol IDAK has the key compromise impersonation resilience property. That is, if Alice loses her private key $d_A = g_{\mathrm{ID}_A}^\alpha$, then the adversary still cannot impersonate Bob to Alice. For a formal proof of KCI, we still need to consider the information obtained by the adversary through Reveal, Extract, Send, and Corrupt queries in other sessions. This will be done in the final version of this paper.

In order to show KCI for IDAK, it is (informally) sufficient to show that the two distributions

$$\left(\mathcal{R},\; e\left(d_{\mathrm{ID}_A}^{\,x} \cdot d_{\mathrm{ID}_A}^{\,\pi(g_{\mathrm{ID}_A}^x, R_B)},\; R_B \cdot g_{\mathrm{ID}_B}^{\,\pi(R_B, g_{\mathrm{ID}_A}^x)}\right)\right) \quad\text{and}\quad \left(\mathcal{R},\; e(g_{\mathrm{ID}_A}, g_{\mathrm{ID}_B})^z\right)$$

are computationally indistinguishable for $\mathcal{R} = (g_{\mathrm{ID}_A}^\alpha, g_{\mathrm{ID}_A}^x, R_B)$, where $g_{\mathrm{ID}_A}, g_{\mathrm{ID}_B}, x, z, \alpha$ are chosen uniformly at random and $R_B$ is chosen according to some probabilistic polynomial-time distribution. Since the value $e\left(d_{\mathrm{ID}_A}^{\,\pi(g_{\mathrm{ID}_A}^x, R_B)},\; R_B \cdot g_{\mathrm{ID}_B}^{\,\pi(R_B, g_{\mathrm{ID}_A}^x)}\right)$ is known, it is sufficient to prove the following theorem.

Theorem 5. Let $\mathcal{G} = \{G_\rho\}$ be a bilinear group family, $G_\rho = (G, G_1, e)$. Assume that the DBDH-Assumption holds for $\mathcal{G}$. Then the two distributions

$$X = \left(g_1, g_2, g_1^\alpha, g_1^x, R_B, e\left(g_1^\alpha,\; R_B \cdot g_2^{\,\pi(R_B, g_1^x)}\right)^x\right)$$
$$\text{and}\quad Y = \left(g_1, g_2, g_1^\alpha, g_1^x, R_B, e(g_1, g_2)^z\right)$$

are computationally indistinguishable for randomly chosen $g_1, g_2, x, z, \alpha$, where $R_B$ is chosen according to some probabilistic polynomial-time distribution.

Proof. Since $g_1^x$ is chosen uniformly at random and $\pi$ is a random oracle, we may assume that $R_B \cdot g_2^{\pi(R_B, g_1^x)}$ is uniformly distributed over $G$ when $R_B$ is chosen according to any probabilistic polynomial-time distribution. Thus the proof is similar to the proof of Theorem 4 and the details are omitted. The theorem could also be proved using the Splitting lemma [28], which was used to prove the forking lemma. Briefly, the Splitting lemma captures the fact that when a subset $A$ is "large" in a product space $X \times Y$, it has many large sections. Using the Splitting lemma, one can show that if $\mathcal{D}$ can distinguish $X$ and $Y$, then by replaying $\mathcal{D}$ with a different random oracle $\pi$, one can get sufficiently many tuples $(g_1, g_2, g_1^\alpha, g_1^x, R_B, \pi_1, \pi_2)$ such that (1) $\pi_1(R_B, g_1^x) \neq \pi_2(R_B, g_1^x)$; (2) $\mathcal{D}$ distinguishes $X_1$ and $Y$ (respectively $X_2$ and $Y$) when $z$ is uniformly chosen but the other values take the values from the above tuple with $\pi_1$ (respectively $\pi_2$). Since

Thus, for the above tuple, we can distinguish $e(g_1, g_2)^{x\alpha}$ from $e(g, g)^z$ for randomly chosen $z$. This is a contradiction to the DBDH-Assumption. □
8 Appendix



8.1 Proof of Theorem 1

The fact that the CBDH-Assumption implies the perfect-CBDH-Assumption is trivial.
The converse is proved by the self-random-reduction technique (see [5,24]). Let $\mathcal{O}$ be
a CBDH oracle. That is, there exists a $c > 0$ such that (1) holds with $\mathcal{C}$ replaced with
$\mathcal{O}$. We construct a perfect-CBDH algorithm $\mathcal{C}$ which makes use of the oracle $\mathcal{O}$. Given
$g, g^{x}, g^{y}, g^{z} \in G$, algorithm $\mathcal{C}$ must compute $e(g, g)^{xyz}$ with overwhelming probability.
Consider the following algorithm: select $a, b, c \in_R \mathbb{Z}_q$ (unless stated explicitly, we use
$x \in_R X$ to denote that $x$ is randomly chosen from $X$ in the remainder of this paper)
and output

$$I_{x,y,z,a,b,c} = \mathcal{O}(\rho, g, g^{x+a}, g^{y+b}, g^{z+c}) \cdot e(g, g)^{-(cxy + bxz + ayz + bcx + acy + abz + abc)}.$$

One can easily verify that if $\mathcal{O}(\rho, g, g^{x+a}, g^{y+b}, g^{z+c}) = e(g, g)^{(x+a)(y+b)(z+c)}$, then
$I_{x,y,z,a,b,c} = e(g, g)^{xyz}$. Consequently, standard amplification techniques can be used
to construct the algorithm $\mathcal{C}$. The details are omitted.

8.2 Proof of Lemma 2

For a contradiction, assume that there is a probabilistic polynomial-time algorithm $\mathcal{D}$
that distinguishes the two distributions $\mathcal{X}_2$ and $\mathcal{Y}_2$ with non-negligible probability $\delta_k$. In
the following we construct a probabilistic polynomial-time algorithm $\mathcal{D}'$ to distinguish
the two distributions $\mathcal{X}_1$ and $\mathcal{Y}_1$. $\mathcal{D}'$ is defined by letting $\mathcal{D}'(\mathcal{R}, X, Y) = \mathcal{D}(\mathcal{R}, X \cdot Y)$
for all $\mathcal{R}$ and $X, Y \in G$. By this definition, we have $\Pr[\mathcal{D}'_r(\mathcal{X}_1) = 1 \mid \mathcal{R}, r] = \Pr[\mathcal{D}_r(\mathcal{X}_2) = 1 \mid \mathcal{R}, r]$
for any fixed internal coin tosses $r$ of $\mathcal{D}$ and $\mathcal{D}'$.

Let $D_{\mathcal{R},r} = \{X : \mathcal{D}_r(\mathcal{R}, X) = 1\}$ and $D'_{\mathcal{R},r} = \{(X, Y) : \mathcal{D}'_r(\mathcal{R}, X, Y) = 1\}$.
By definition of $\mathcal{D}'$, we have $D'_{\mathcal{R},r} = \{(X, Y) : X \cdot Y \in D_{\mathcal{R},r}\}$. It follows that
$|D'_{\mathcal{R},r}| = q\,|D_{\mathcal{R},r}|$ and $\Pr[\mathcal{D}'_r(\mathcal{Y}_1) = 1 \mid \mathcal{R}, r] = |D'_{\mathcal{R},r}|/q^2 = |D_{\mathcal{R},r}|/q = \Pr[\mathcal{D}_r(\mathcal{Y}_2) = 1 \mid \mathcal{R}, r]$.
Thus we have

$$\begin{aligned}
|\Pr[\mathcal{D}'(\mathcal{X}_1) = 1] - \Pr[\mathcal{D}'(\mathcal{Y}_1) = 1]|
&= \Big|\sum_{\mathcal{R}, r} \Pr[\mathcal{R}, r] \cdot \big(\Pr[\mathcal{D}'_r(\mathcal{X}_1) = 1 \mid \mathcal{R}, r] - \Pr[\mathcal{D}'_r(\mathcal{Y}_1) = 1 \mid \mathcal{R}, r]\big)\Big| \\
&= \Big|\sum_{\mathcal{R}, r} \Pr[\mathcal{R}, r] \cdot \big(\Pr[\mathcal{D}_r(\mathcal{X}_2) = 1 \mid \mathcal{R}, r] - \Pr[\mathcal{D}_r(\mathcal{Y}_2) = 1 \mid \mathcal{R}, r]\big)\Big| \\
&= |\Pr[\mathcal{D}(\mathcal{X}_2) = 1] - \Pr[\mathcal{D}(\mathcal{Y}_2) = 1]| \\
&\ge \delta_k.
\end{aligned}$$

Hence, $\mathcal{D}'$ distinguishes the distributions $\mathcal{X}_1$ and $\mathcal{Y}_1$ with non-negligible probability $\delta_k$.
This contradicts the assumption of the Lemma.

8.3 Proof of Lemma 3

The Lemma could be proved using a complicated version of the Splitting lemma by
Pointcheval-Stern [28] (see the proof of Theorem 7). In the following, we use the random
reduction to prove the lemma.


1. For a contradiction, assume that there is a polynomial time probabilistic algorithm
$\mathcal{D}$ that distinguishes $\mathcal{X}$ and $\mathcal{Y}$. We construct a polynomial time probabilistic algorithm
$\mathcal{A}$ that distinguishes $(g, g^{u}, g^{v}, g^{w}, e(g, g)^{uvw})$ and $(g, g^{u}, g^{v}, g^{w}, e(g, g)^{a})$ with $\delta_k$,
where $u, v, w, a$ are uniformly at random in $\mathbb{Z}_q$.

Let the input of $\mathcal{A}$ be $(g, g^{u}, g^{v}, g^{w}, e(g, g)^{a})$, where $a$ is either $uvw$ or uniformly
at random in $\mathbb{Z}_q$. $\mathcal{A}$ chooses uniformly at random $c_1, c_2, c_3, c_4 \in \mathbb{Z}_q$, sets $g^{\alpha} =
g^{c_1 u + c_2}$, $g^{\beta} = g^{v + c_3}$, $g^{\gamma} = g^{w + c_4}$, chooses uniformly at random $r \in \mathbb{Z}_q^*$ or lets
$g^{r} = g^{\gamma}$, chooses $g^{y_0}, g_{\mathcal{A}} \in G$ within polynomial time according to any distribution
given the view $(g^{\alpha}, g^{\beta}, g^{\gamma}, g^{x}, g^{y_0})$ (the distributions for $g_{\mathcal{A}} \in G$ and $g_{\mathcal{A}}^{y_0}$ could
be different). Since $g^{x}$ and $g^{y_0}$ are uniformly chosen from $G$, we may assume that
the values of $\pi(g^{x}, g_{\mathcal{A}})$ and $\pi(g^{y_0}, g_{\mathcal{A}}^{y_0})$ are unknown yet. Without loss of generality,
we may assume that $x + \beta\pi(g^{x}, g_{\mathcal{A}})$ and $y_0 + \pi(g^{y_0}, g_{\mathcal{A}}^{y_0})$ take values $c_5$ and $c_6$
respectively, where $c_5$ and $c_6$ are uniformly chosen from $\mathbb{Z}_q$. In summary, the value
of $\mathcal{R}$ could be computed from $g^{u}, g^{v}, g^{w}, c_1, c_2, c_3, c_4, c_5$ efficiently. $\mathcal{A}$ then sets

$$e(g, g)^{\hat{t}} = e(g, g)^{c_1 a + c_4 (c_1 u + c_2)(v + c_3) + w (c_1 u c_3 + c_2 v + c_2 c_3)}$$

and can compute $e(g, g^{y_0})^{(x_0 + \pi(g^{y_0}, g_{\mathcal{A}}^{y_0}))\hat{t}}$ using the values of $e(g, g)^{\hat{t}}$,
$x_0$, $\pi(g_{\mathcal{A}}^{y_0}, g^{y_0})$, $c_6$. Let $\mathcal{A}(g, g^{u}, g^{v}, g^{w}, e(g, g)^{a}) = \mathcal{D}(\mathcal{X}')$, where $\mathcal{X}'$ is obtained
from $\mathcal{Y}$ by replacing $t$ with $\hat{t}$ and taking the remaining values as defined above.

Note that if $a = uvw$, then $\hat{t} = \alpha\beta\gamma$, and $\mathcal{X}'$ is distributed according to the distribution
$\mathcal{X}$. That is, $\alpha, \beta, \gamma, x, x_0$ are uniform in $\mathbb{Z}_q$ and independent of each other and of
$(u, v, w)$, and $(r, g_{\mathcal{A}}, g_{\mathcal{A}}^{y_0})$ is chosen according to the specified distributions without
violating the DBDH-Assumption. Otherwise, $\mathcal{X}'$ is distributed according to the distribution $\mathcal{Y}$,
and $\hat{t}$ is uniform in $\mathbb{Z}_q$ and independent of $\alpha, \beta, \gamma, x, x_0, r, u, v, w, g_{\mathcal{A}}$. Therefore,
by definitions,

$$\Pr[\mathcal{A}(g, g^{u}, g^{v}, g^{w}, e(g, g)^{uvw}) = 1] = \Pr[\mathcal{D}(\mathcal{X}) = 1]$$
and
$$\Pr[\mathcal{A}(g, g^{u}, g^{v}, g^{w}, e(g, g)^{a}) = 1] = \Pr[\mathcal{D}(\mathcal{Y}) = 1].$$

Thus $\mathcal{A}$ distinguishes $(g, g^{u}, g^{v}, g^{w}, e(g, g)^{uvw})$ and $(g, g^{u}, g^{v}, g^{w}, e(g, g)^{a})$ with $\delta_k$,
where $a$ is uniform at random in $\mathbb{Z}_q$. This is a contradiction.

2. This part of the Lemma could be proved in the same way. The details are omitted.

3. Since "$g_{\mathcal{A},i} \neq g^{x}$ or $g_{\mathcal{A},i} \neq g^{y_0}$", we may assume that the values of $\pi(g^{x}, g_{\mathcal{A},i})$
and $\pi(g_{\mathcal{A},i}, g^{x})$ are unknown yet. By the random oracle property of $\pi$, this part of the
Lemma could be proved in the same way as in item 1. The details are omitted.



9 Proof of Theorem 3

Proof. By Theorem 2, condition 1 in Definition 2 is satisfied for the IDAK key
agreement protocol. In the following, we show that condition 2 is also satisfied.

For a contradiction, assume that the adversary $\mathcal{A}$ has non-negligible advantage
$\delta_k = \mathrm{Adv}^{\mathcal{A}}(k)$ in guessing the value of $b$ after the Test query. We show how to
construct a simulator $\mathcal{S}$ that uses $\mathcal{A}$ as an oracle to distinguish the distributions $\mathcal{X}$
and $\mathcal{Y}$ in item 3 of Lemma 3 with non-negligible advantage $2\delta_k(q_E - 2)^2/q_E^4$,
where $q_E$ denotes the number of distinct $H$-queries that the algorithm $\mathcal{A}$ has made.



The game between the challenger and the simulator $\mathcal{S}$ starts with the challenger first
generating bilinear groups $\mathcal{G}_\rho = (G, G_1, e)$ by running the algorithm Instance
Generator. The challenger then chooses $\alpha, \beta, \gamma, t \in_R \mathbb{Z}_q$ and $b \in_R \{0, 1\}$. The
challenger gives the tuple $(\rho, g, g^{\alpha}, g^{\beta}, g^{\gamma}, e(g, g)^{\hat{t}})$ to the algorithm $\mathcal{S}$, where $\hat{t} = \alpha\beta\gamma$
if $b = 1$ and $\hat{t} = t$ otherwise. During the simulation, the algorithm $\mathcal{S}$ can ask the
challenger to provide randomly chosen $g^{u_i}$. $\mathcal{S}$ may then choose (with the help of $\mathcal{A}$
perhaps) $g_{\mathcal{A},i}$ within polynomial time according to any distribution given the view
$(g^{\alpha}, g^{\beta}, g^{\gamma}, g^{u_1}, \ldots, g^{u_i})$ and sends $g_{\mathcal{A},i}$ to the challenger. The challenger
responds with $e(g^{u_i + \pi(g^{u_i}, g_{\mathcal{A},i})}, g_{\mathcal{A},i} \cdot g^{\pi(g_{\mathcal{A},i}, g^{u_i})})^{\alpha}$. At the end of the simulation,
the algorithm $\mathcal{S}$ is supposed to output its guess $b' \in \{0, 1\}$ for $b$. It should be noted that
if $b = 1$, then the output of the challenger together with the values $g_{\mathcal{A},i}$ selected by the
simulator $\mathcal{S}$ is the tuple $\mathcal{X}$ of Lemma 3, and is the tuple $\mathcal{Y}$ of Lemma 3 if $b = 0$. Thus
the simulator $\mathcal{S}$ could be used to distinguish $\mathcal{X}$ and $\mathcal{Y}$ of Lemma 3.

The algorithm $\mathcal{S}$ selects two integers $I, J < q_E$ randomly and works by interacting
with $\mathcal{A}$ as follows:

Setup: Algorithm $\mathcal{S}$ gives $\mathcal{A}$ the IDAK system parameters $(q, G, G_1, e, H, \pi)$ where
$q, G, G_1, e$ are parameters from the challenger, and $H$ and $\pi$ are random oracles controlled
by $\mathcal{S}$ as follows.

$H$-queries: At any time algorithm $\mathcal{A}$ can query the random oracle $H$ using the queries
Extract($ID_i$) or GetID($ID_i$) $= H(ID_i)$. To respond to these queries algorithm $\mathcal{S}$
maintains an $H^{list}$ that contains a list of tuples $(ID_i, g_{ID_i})$. The list is initially empty.
When $\mathcal{A}$ queries the oracle $H$ at a point $ID_i$, $\mathcal{S}$ responds as follows:

1. If the query $ID_i$ appears on the $H^{list}$ in a tuple $(ID_i, g_{ID_i})$, then $\mathcal{S}$ responds with
$H(ID_i) = g_{ID_i}$.

2. Otherwise, if this is the $I$-th new query of the random oracle $H$, $\mathcal{S}$ responds with
$g_{ID_i} = H(ID_i) = g^{\beta}$, and adds the tuple $(ID_i, g^{\beta})$ to the $H^{list}$. If this is the $J$-th
new query of the random oracle, $\mathcal{S}$ responds with $g_{ID_i} = H(ID_i) = g^{\gamma}$, and adds
the tuple $(ID_i, g^{\gamma})$ to the $H^{list}$.

3. In the remaining case, $\mathcal{S}$ selects a random $r_i \in \mathbb{Z}_q^*$, responds with $g_{ID_i} = H(ID_i) =
g^{r_i}$, and adds the tuple $(ID_i, g^{r_i})$ to the $H^{list}$.

$\pi$-queries: At any time the challenger, the algorithm $\mathcal{A}$, and the algorithm $\mathcal{S}$ can query
the random oracle $\pi$. To respond to these queries algorithm $\mathcal{S}$ maintains a $\pi^{list}$ that
contains a list of tuples $((g_1, g_2), \pi(g_1, g_2))$. The list is initially empty. When $\mathcal{A}$ queries
the oracle $\pi$ at a point $(g_1, g_2)$, $\mathcal{S}$ responds as follows: If the query $(g_1, g_2)$ appears on
the $\pi^{list}$ in a tuple $((g_1, g_2), \pi(g_1, g_2))$, then $\mathcal{S}$ responds with $\pi(g_1, g_2)$. Otherwise, $\mathcal{S}$
selects a random $w_i \in \mathbb{Z}_q$, responds with $\pi(g_1, g_2) = w_i$, and adds the tuple $((g_1, g_2), w_i)$
to the $\pi^{list}$. Technically, the random oracle $\pi$ could be held by an independent third
party to avoid the confusion that the challenger also needs to access this random oracle.

Query phase: $\mathcal{S}$ responds to $\mathcal{A}$'s queries as follows.

For a GetID($ID_i$) query, $\mathcal{S}$ runs the $H$-queries to obtain a $g_{ID_i}$ such that $H(ID_i) =
g_{ID_i}$, and responds with $g_{ID_i}$.

For an Extract($ID_i$) query for the long term private key, if $i = I$ or $i = J$, then
$\mathcal{S}$ reports failure and terminates. Otherwise, $\mathcal{S}$ runs the $H$-queries to obtain $g_{ID_i} =
H(ID_i) = g^{r_i}$, and responds with $d_{ID_i} = (g^{\alpha})^{r_i} = g_{ID_i}^{\alpha}$.

For a Send($\Pi_{i,j}^{s}, X$) query, we distinguish the following three cases:

1. $X = \lambda$. If $i = I$ or $J$, $\mathcal{S}$ asks the challenger for a random $R_i \in G$ (note that $\mathcal{S}$
does not know the discrete logarithm of $R_i$ with base $g_{ID_i}$); otherwise $\mathcal{S}$ chooses a
random $u_i \in \mathbb{Z}_q^*$ and sets $R_i = g_{ID_i}^{u_i}$. $\mathcal{S}$ lets $\Pi_{i,j}^{s}$ reply with $R_i$. That is, we assume
that $ID_i$ is carrying out an IDAK key agreement protocol with $ID_j$ and $ID_i$ sends
the first message $R_i$ to $ID_j$.

2. $X \neq \lambda$ and the transcript of the oracle $\Pi_{i,j}^{s}$ is empty. In this case, $\Pi_{i,j}^{s}$ is the
responder to the protocol and has not sent out any message yet. If $i = I$ or $J$, $\mathcal{S}$ asks
the challenger for a random $R_i \in G$; otherwise $\mathcal{S}$ chooses a random $u_i \in \mathbb{Z}_q^*$ and
sets $R_i = g_{ID_i}^{u_i}$. $\mathcal{S}$ lets $\Pi_{i,j}^{s}$ reply with $R_i$ and marks the oracle $\Pi_{i,j}^{s}$ as completed.

3. $X \neq \lambda$ and the transcript of the oracle $\Pi_{i,j}^{s}$ is not empty. In this case, $\Pi_{i,j}^{s}$ is the
protocol initiator and should have sent out the first message already. Thus $\Pi_{i,j}^{s}$ does
not need to respond anything. After processing the query Send($\Pi_{i,j}^{s}, X$), $\mathcal{S}$ marks
the oracle $\Pi_{i,j}^{s}$ as completed.

For a Reveal($\Pi_{i,j}^{s}$) query, if $i \neq I$ and $i \neq J$, $\mathcal{S}$ computes the session key
$sk_{ij} = e(g_{ID_j}^{\pi(R_j, R_i)} \cdot R_j, d_{ID_i}^{u_i + \pi(R_i, R_j)})$ and responds with $sk_{ij}$, where $R_j$ is the
message received by $\Pi_{i,j}^{s}$. Note that the message $R_j$ may not necessarily be sent by the
oracle $\Pi_{j,i}^{s'}$ for some $s'$ since it could have been a bogus message from $\mathcal{A}$. Otherwise,
$i = I$ or $i = J$. Without loss of generality, we assume that $i = I$. In this case, the
oracle $\Pi_{I,j}^{s}$ does not know its private key $g^{\alpha\beta}$. Thus it needs help from the challenger to
compute the shared session key. Let $R_I$ and $R_j$ be the messages that $\Pi_{I,j}^{s}$ has sent out
and received respectively. $\Pi_{I,j}^{s}$ gives these two values to the challenger and the
challenger computes the shared session key $sk_{Ij} = e(g_{ID_j}^{\pi(R_j, R_I)} \cdot R_j, R_I \cdot g_{ID_I}^{\pi(R_I, R_j)})^{\alpha}$.
$\Pi_{I,j}^{s}$ then responds with $sk_{Ij}$.

For a Corrupt($i$) query, if $i = I$ or $i = J$, then $\mathcal{S}$ reports failure and terminates.
Otherwise, $\mathcal{S}$ responds with $d_{ID_i} = (g^{\alpha})^{r_i} = g_{ID_i}^{\alpha}$.

For the Test($\Pi_{i,j}^{s}$) query, if $i \neq I$ or $j \neq J$, then $\mathcal{S}$ reports failure and terminates.
Otherwise, assume that $i = I$ and $j = J$. Let $R_I = g_{ID_I}^{u_I}$ be the message that $\Pi_{I,J}^{s}$ sends
out (note that the challenger generated this message) and $R_J = g_{ID_J}^{u_J}$ be the message
that $\Pi_{I,J}^{s}$ receives (note that $R_J$ could be the message that the challenger generated or
could be generated by the algorithm $\mathcal{A}$). $\mathcal{S}$ gives the messages $R_I$ and $R_J$ to the
challenger. The challenger computes $X = e(g, g)^{(u_I + \pi(R_I, R_J))(u_J + \pi(R_J, R_I))\hat{t}}$ and gives $X$
to $\mathcal{S}$. $\mathcal{S}$ responds with $X$. Note that if $\hat{t} = \alpha\beta\gamma$, then $X$ is the session key. Otherwise,
$X$ is a uniformly distributed group element.

Guess: After the Test($\Pi_{i,j}^{s}$) query, the algorithm $\mathcal{A}$ may issue other queries before
finally outputting its guess $b' \in \{0, 1\}$. Algorithm $\mathcal{S}$ outputs $b'$ as its guess to the challenger.

Claim: If $\mathcal{S}$ does not abort during the simulation then $\mathcal{A}$'s view is identical to its view
in the real attack. Furthermore, if $\mathcal{S}$ does not abort, then $|\Pr[b = b'] - \frac{1}{2}| \ge \delta_k$, where
the probability is over all random coins used by $\mathcal{S}$ and $\mathcal{A}$.



Proof of Claim: The responses to $H$-queries and $\pi$-queries are the same as in the real
attack since the response is uniformly distributed. All responses to the GetID queries,
private key extract queries, message delivery queries, reveal queries, and corrupt queries
are valid. It remains to show that the response to the test query is valid also. When $t$ is
uniformly distributed over $\mathbb{Z}_q$, then Theorem 2 shows that $X = e(g, g)^{(u_I + \pi(R_I, R_J))(u_J + \pi(R_J, R_I))t}$
is uniformly distributed over $G_1$ and is computationally indistinguishable from a random
value given $\mathcal{A}$'s view. Therefore, by definition of the algorithm $\mathcal{A}$, we have
$|\Pr[b = b'] - \frac{1}{2}| \ge \delta_k$. □

Suppose $\mathcal{A}$ makes a total of $q_E$ $H$-queries. We next calculate the probability that $\mathcal{S}$
does not abort during the simulation. The probability that $\mathcal{S}$ does not abort for Extract
queries is $(q_E - 2)/q_E$. The probability that $\mathcal{S}$ does not abort for Corrupt queries is
$(q_E - 2)/q_E$. The probability that $\mathcal{S}$ does not abort for Test queries is $2/q_E^2$. Therefore,
the probability that $\mathcal{S}$ does not abort during the simulation is $2(q_E - 2)^2/q_E^4$. This shows
that $\mathcal{S}$'s advantage in distinguishing the distributions $\mathcal{X}$ and $\mathcal{Y}$ in Lemma 3 is at least
$2\delta_k(q_E - 2)^2/q_E^4$, which is non-negligible.

To complete the proof of Theorem 3, it remains to show that the communications
between $\mathcal{S}$ and the challenger are carried out according to the distributions $\mathcal{X}$ and $\mathcal{Y}$ of
Lemma 3. For a Reveal($\Pi_{I,j}^{s}$) query, the challenger outputs $e(g_{ID_j}^{\pi(R_j, R_I)} \cdot R_j, R_I \cdot g_{ID_I}^{\pi(R_I, R_j)})^{\alpha}$
to the algorithm $\mathcal{S}$. Let $R_I = g^{x}$, $R_j = g_{\mathcal{A}}$, and $g_{ID_j} = g^{r}$. Then $x$ is chosen uniformly
at random from $\mathbb{Z}_q$, $r$ is chosen uniformly at random from $\mathbb{Z}_q^*$ when $j \neq J$ or $r = \gamma$
when $j = J$, and the value of $g_{\mathcal{A}}$ is chosen by the algorithm $\mathcal{A}$ or by the algorithm $\mathcal{S}$ or
by the challenger in probabilistic polynomial time according to the current views. For
example, if $g_{\mathcal{A}}$ is chosen by the algorithm $\mathcal{A}$, then $\mathcal{A}$ may generate $g_{\mathcal{A}}$ as the combination
(e.g., multiplication) of some previously observed messages/values or generate it
randomly. Thus the communication between the challenger and the algorithm $\mathcal{S}$ during
Reveal($\Pi_{I,j}^{s}$) queries is carried out according to the distributions $\mathcal{X}$ and $\mathcal{Y}$ of Lemma
3. The case for Reveal($\Pi_{J,j}^{s}$) queries is the same.

For the Test($\Pi_{I,J}^{s}$) query, the challenger outputs $X = e(g, g)^{(u_I + \pi(R_I, R_J))(u_J + \pi(R_J, R_I))\hat{t}}$
to the algorithm $\mathcal{S}$, where $R_I = g_{ID_I}^{u_I}$ and $R_J = g_{ID_J}^{u_J}$. Let $x_0 = u_I$ and $y_0 = u_J$. Then
$x_0$ is chosen uniformly at random from $\mathbb{Z}_q$ and the value of $g_{\mathcal{A}}^{y_0}$ is chosen by the
algorithm $\mathcal{A}$ or by the challenger in probabilistic polynomial time according to the current
views. Similarly, $\mathcal{A}$ may choose $g_{\mathcal{A}}^{y_0}$ as the combination (e.g., multiplication) of some
previously observed messages/values. The communication between the challenger and
the algorithm $\mathcal{S}$ during the Test($\Pi_{I,J}^{s}$) query is carried out according to the
distributions $\mathcal{X}$ and $\mathcal{Y}$ of Lemma 3.

It should be noted that after the Test($\Pi_{I,J}^{s}$) query, the adversary may create bogus
oracles for the participants $ID_I$ and $ID_J$ and send bogus messages that may depend
on all existing communicated messages (including messages held by the oracle $\Pi_{I,J}^{s}$)
and then reveal session keys from these oracles. In particular, the adversary may play
a man in the middle attack by modifying the messages sent from $\Pi_{I,J}^{s}$ to $\Pi_{J,I}^{s}$ and
modifying the messages sent from $\Pi_{J,I}^{s}$ to $\Pi_{I,J}^{s}$. Then the oracles $\Pi_{J,I}^{s}$ and $\Pi_{I,J}^{s}$ are not
matching oracles. Thus $\mathcal{A}$ can reveal the session key held by the oracle $\Pi_{J,I}^{s}$ before the
guess. In the $\mathcal{R}_2$ part in the distributions $\mathcal{X}$ and $\mathcal{Y}$ of Lemma 3, we have the condition
"$g_{\mathcal{A},i} \neq g^{x}$ or $g_{\mathcal{A},i} \neq g^{y_0}$" (this condition holds since the algorithm $\mathcal{A}$ has not
revealed the matching oracles for $\Pi_{I,J}^{s}$). If both $g_{\mathcal{A},i} = g^{x}$ and $g_{\mathcal{A},i} = g^{y_0}$, then the
oracle $\Pi_{J,I}^{s}$ is a matching oracle for $\Pi_{I,J}^{s}$ and $\mathcal{A}$ is not allowed to reveal the session
key held by the oracle $\Pi_{J,I}^{s}$. Thus the communication between the challenger and the
algorithm $\mathcal{S}$ during these Test($\Pi_{I,J}^{s}$) queries is carried out according to the distributions
$\mathcal{X}$ and $\mathcal{Y}$ of Lemma 3.

In summary, all communications between the challenger and $\mathcal{S}$ are carried out
according to the distributions $\mathcal{X}$ and $\mathcal{Y}$ of Lemma 3. This completes the proof of the
Theorem. □

10 Practical considerations and applications

10.1 The function $\pi$

Though in the security proof of the IDAK key agreement protocol $\pi$ is considered as a
random oracle, in practice we can use the following simplified $\pi$ functions.

- $\pi$ is a random oracle (secure hash function) from $G \times G$ to $\mathbb{Z}^*_{2^{\lceil \log q / c \rceil}}$ (e.g., $c = 2$).

- If $g_1 = (x_{g_1}, y_{g_1}), g_2 = (x_{g_2}, y_{g_2}) \in G$ are points on an elliptic curve, then
let $\pi(g_1, g_2) = x_g \bmod 2^{\lceil \log q / 2 \rceil}$ where $x_g = x_{g_1} \oplus x_{g_2}$. That is, $\pi(g_1, g_2)$ is the
exclusive-or of the second half parts of the first coordinates of the elliptic curve
points $g_1$ and $g_2$.

- $\pi$ is a random oracle whose output only depends on the first input variable, or
any of the above functions restricted in such a way that the output only depends on
the first input variable. In other words, $\pi : G \to \mathbb{Z}^*_{2^{\lceil \log q / c \rceil}}$.

It should be noted that any $\pi$ function for which Lemma 3 holds can be used in the IDAK
protocol. Though we do not know whether Lemma 3 holds for the $\pi$ functions that we
have listed above, we have strong evidence that this is true. First, if we assume that the
group $G_2$ is a generic group in the sense of Nechaev [25] and Shoup [34], then we
can prove that Lemma 3 holds for the above $\pi$ functions. Secondly, if the distribution of
$(g^{x}, g_{\mathcal{A}}, g^{y_0}, g_{\mathcal{A}}^{y_0})$ in Lemma 3 is restricted to the distribution

$$\{\, g^{f(x, r, \alpha, \beta, \gamma, \beta x \alpha, \bar{y})} : f \text{ is a linear function, } \bar{y} \text{ is a tuple of uniformly random values from } \mathbb{Z}_q \,\},$$

then we can prove that Lemma 3 holds for the above $\pi$ functions. We may conjecture
that the adversary algorithm $\mathcal{A}$ can only generate $g_{\mathcal{A}}$ and $g_{\mathcal{A}}^{y_0}$ according to the above
distribution unless the CDH-Assumption fails for $G$. Thus, under this conjecture (without
the condition that $G_2$ is a generic group), the above list of $\pi$ functions can be used in
the IDAK protocol securely.

10.2 Performance

Our analysis in this section will be based on the assumption that $\pi$ is a random oracle
(secure hash function) from $G \times G$ to $\mathbb{Z}^*_{2^{\lceil \log q / 2 \rceil}}$. Since the computational cost for Alice
is the same as that for Bob, in the following we will only analyze Alice's computation.



First, Alice needs to choose a random number $x$ and compute $R_A = g_{ID_A}^{x}$ in the group
$G$. Writing $s_A = \pi(R_A, R_B)$ and $s_B = \pi(R_B, R_A)$, in order for Alice to compute
$sk = e(g_{ID_B}^{s_B} \cdot R_B, d_{ID_A}^{x + s_A})$ she needs to do 1.5 exponentiations in $G$, one
multiplication in $G$, and one pairing. Thus in total, she needs to do 2.5 exponentiations
in $G$, one multiplication in $G$, and one pairing.

Alternatively, Alice can compute the shared secret as $sk = e(g_{ID_B}^{s_B} \cdot R_B, d_{ID_A})^{x + s_A}$.
Thus for the entire IDAK protocol, Alice needs to do 1.5 exponentiations in $G$ (one for
$g_{ID_A}^{x}$ and 0.5 for $g_{ID_B}^{s_B}$), one multiplication in $G$, one pairing, and one exponentiation in
$G_1$.

The IDAK protocol could be sped up by letting each participant do some pre-computation.
For example, Alice can compute the values of $g_{ID_A}^{x}$ and $d_{ID_A}^{x}$ before the
protocol session. During the IDAK session, Alice can compute the shared secret as
$sk = e(g_{ID_B}^{s_B} \cdot R_B, d_{ID_A}^{x} \cdot d_{ID_A}^{s_A})$ which needs 1 exponentiation in $G$ (0.5 for $g_{ID_B}^{s_B}$ and
0.5 for $d_{ID_A}^{s_A}$), 2 multiplications in $G$, and one pairing. Alternatively, Alice can compute
the shared secret as $sk = e(g_{ID_B}^{s_B} \cdot R_B, d_{ID_A})^{x + s_A}$ which needs 0.5 exponentiation in
$G$, one multiplication in $G$, one pairing, and one exponentiation in $G_1$. In summary,
Figure 1 lists the computational cost for Alice (an analysis of all other identity based
key agreement protocols shows IDAK is the most efficient one; details will be given in
the final version of this paper).
Fig. 1. IDAK Computational Cost for Alice
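As an added worked example (not code from the paper), the following Python model runs one IDAK session with the first $\pi$ of Section 10.1 and checks that Alice's three formulas from Section 10.2 and Bob's computation all equal $e(g_{ID_A}, g_{ID_B})^{\alpha(x+s_A)(y+s_B)}$. The group parameters, identities, and the discrete-log model of the pairing are constructed assumptions for illustration only.

```python
import hashlib

# Constructed toy parameters for checking the IDAK algebra (far too small to be secure).
Q = 1019   # prime order of G and of the pairing's target group G_1
P = 2039   # = 2*Q + 1, prime, so Z_P^* contains a subgroup of order Q
H_GEN = 4  # generator of that order-Q subgroup; it plays the role of e(g, g)

# G is modelled through discrete logs: the element g^a is stored as a mod Q, so
# multiplication in G is addition mod Q and exponentiation is multiplication mod Q.
# The bilinear map e(g^a, g^b) = e(g, g)^{ab} is then H_GEN^{ab} mod P.
# A real pairing group never exposes logs like this; the model only checks that the
# different ways of computing sk in Section 10.2 agree with each other and with Bob.
def g_mul(a, b):
    return (a + b) % Q

def g_exp(a, k):
    return (a * k) % Q

def pair(a, b):
    return pow(H_GEN, (a * b) % Q, P)

def g1_exp(z, k):
    """Exponentiation in G_1 (the target group), used by the alternative formula."""
    return pow(z, k % Q, P)

def hash_to_g(identity):
    """H: identity string -> non-zero element of G (stand-in for the random oracle H)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + h % (Q - 1)

def pi(r1, r2):
    """First choice of pi from Section 10.1: a hash from G x G onto Z*_{2^ceil(log q / 2)}."""
    half_bits = (Q.bit_length() + 1) // 2          # ceil(log2(q) / 2)
    h = int.from_bytes(hashlib.sha256(f"{r1}|{r2}".encode()).digest(), "big")
    return (h % (1 << half_bits)) | 1              # odd, hence a unit modulo 2^half_bits

def idak_session(alpha, id_a, id_b, x, y):
    """One IDAK run; returns Bob's key and the three ways Alice may compute hers."""
    g_a, g_b = hash_to_g(id_a), hash_to_g(id_b)
    d_a, d_b = g_exp(g_a, alpha), g_exp(g_b, alpha)     # long-term private keys g_ID^alpha
    r_a, r_b = g_exp(g_a, x), g_exp(g_b, y)             # the two exchanged messages
    s_a, s_b = pi(r_a, r_b), pi(r_b, r_a)               # half-length values from pi
    # Alice, first formula: 1.5 exponentiations in G (s_b is half-length), one
    # multiplication in G, one pairing
    direct = pair(g_mul(g_exp(g_b, s_b), r_b), g_exp(d_a, x + s_a))
    # Alice, alternative formula: the (x + s_a) exponent moves into G_1
    alt = g1_exp(pair(g_mul(g_exp(g_b, s_b), r_b), d_a), x + s_a)
    # Alice with d_a^x precomputed: only the two half-length exponentiations remain
    d_a_x = g_exp(d_a, x)
    precomp = pair(g_mul(g_exp(g_b, s_b), r_b), g_mul(d_a_x, g_exp(d_a, s_a)))
    # Bob's computation, the mirror image of Alice's first formula
    bob = pair(g_mul(g_exp(g_a, s_a), r_a), g_exp(d_b, y + s_b))
    return bob, direct, alt, precomp

def expected_key(alpha, id_a, id_b, x, y):
    """e(g_A, g_B)^{alpha (x + s_A)(y + s_B)}, which all four computations must equal."""
    g_a, g_b = hash_to_g(id_a), hash_to_g(id_b)
    r_a, r_b = g_exp(g_a, x), g_exp(g_b, y)
    s_a, s_b = pi(r_a, r_b), pi(r_b, r_a)
    return pow(H_GEN, (g_a * g_b * alpha * (x + s_a) * (y + s_b)) % Q, P)
```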



